Building an advanced lab using VMware vRealize Automation – Part 7: Configure vCenter Server Appliance SSL certificates

In part 6 we installed and configured a vCenter Server Appliance in the lab. This will manage the various components and serve as an endpoint for vRealize Automation.

In this post we replace the default SSL certificates from the vCSA with trusted certificates from our in-house certificate authority.

Other posts in this series

  1. Intro
  2. Physical infrastructure – storage
  3. Physical infrastructure – networking
  4. Physical infrastructure – compute
  5. Authentication services
  6. Deploy and configure the vCenter Server Appliance
  7. Configure vCenter Server Appliance SSL certificates
  8. Deploy and configure the vRA Appliance
  9. Deploy and configure the IaaS platform
  10. Configure tenants
  11. Configure endpoint & fabric/business groups
  12. Configure blueprints (coming soon)
  13. Configure entitlements (coming soon)
  14. Configure policies (coming soon)
  15. Integration with vCloud Air (coming soon)
  16. Tidy up (coming soon)

SSL certificates

The vCSA uses self-signed certificates by default, which are fine for non-critical deployments but lack the security and professionalism of a proper deployment. Unfortunately, a lot of companies that implement vSphere still don't take the time to deploy their vCenter Appliances with SSL certificates signed by a Certificate Authority.

Where possible, proper SSL certificates should always be used.  When users or administrators connect to the vSphere environment they need to know that the appliance is genuine and was provisioned by the appropriate team.

For this part, I assume you have a Certificate Authority in place and have set up a template that can be used for this purpose. If not, VMware have a great knowledge base article which will help you create one: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).

The CA we use in the lab is a two-tiered one hosted on Windows Server 2008 R2.  It uses an offline standalone root CA and a subordinate enterprise CA for issuing certificates.  The Certificate Revocation List is stored on an external website which can be reached from both inside and outside the network.

Create the requests

Download the latest release of OpenSSL to your workstation (currently 1.0.2d) from the OpenSSL website and install it:

Run the installer, clicking Next > on each screen, then Install, and finally Finish.

Open PowerShell:

powershell

Create the folders needed for the certificates:

$svc_array = @("vCenterSSO","InventoryService","LogBrowser","AutoDeploy")
ForEach ($svc in $svc_array){New-Item C:\Certs\$svc -type directory}

Create the following configuration file and save as C:\Certs\gen_conf.cfg:

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = VMware1!
output_password = VMware1!

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcsa, IP: 192.168.146.205, DNS: vcsa.lab.mdb-lab.com

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = virtualhobbit
organizationalUnitName =
commonName = vcsa.lab.mdb-lab.com

The above is a generic configuration that will need to be tailored for each service (SSO, Inventory, Log Browser and AutoDeploy).

Customize for each service:

$certdir = "C:\certs"
cd $certdir

ForEach ($svc in $svc_array){
	$file = "$svc.cfg"
	$fullpath = Join-Path $certdir $svc
	$conf = Join-Path $fullpath $file
	copy $certdir\gen_conf.cfg $conf
	# Fill in the empty organizationalUnitName with the service name
	$content = (Get-Content $conf | %{$_ -replace "organizationalUnitName =","organizationalUnitName = $svc"})
	Set-Content -Path $conf -Value $content
}

We now have a configuration file for each service. Using these we create a corresponding Certificate Signing Request (CSR) and private key with:

ForEach ($svc in $svc_array){
	$workingdir = Join-Path $certdir $svc
	C:\OpenSSL\bin\openssl req -new -nodes -out $workingdir\rui.csr -keyout $workingdir\rui.key -config $workingdir\$svc.cfg
}

The following assumes you have an online Certificate Authority and have configured a template named VMwareSSL for issuing VMware certificates (substitute accordingly).

Submit the request:

$issuingCA = "issuingca.mdb-lab.com\mdb-lab.com Issuing CA"
$template = "CertificateTemplate:VMwareSSL"

ForEach ($svc in $svc_array){
	$reqfile = "rui.csr"
	$crtfile = "rui.crt"
	$workingdir = Join-Path $certdir $svc
	cd $workingdir
	certreq -submit -config $issuingCA -attrib $template $reqfile $crtfile
}

We now have a config, request, key and certificate for each service.

Remove the config and request files:

Get-ChildItem C:\Certs -include *.csr,*.cfg -Recurse | Remove-Item

Download the certificate chain from your CA:

$issuingCA = "issuingca.mdb-lab.com"
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
$chain = "$certdir\certnew.p7b"
$url = "https://$issuingCA/certsrv/certnew.p7b?ReqID=CACert&Renewal=0&Enc=b64"

$wc.DownloadFile($url,$chain)

Convert the chain to PEM format:

$pemchain = "$certdir\certnew.pem"

C:\OpenSSL\bin\openssl pkcs7 -print_certs -in $chain -out $pemchain
Remove-Item $chain

Remove unnecessary lines from PEM file:

$cachain = "$certdir\cachain.pem"

Get-Content $pemchain | Where { $_ -notmatch "subject" -and $_ -notmatch "issuer"} | Set-Content $cachain
(Get-Content $cachain) | ? {$_.trim() -ne "" } | Set-Content $cachain
Remove-Item $pemchain

Add each certificate to the PEM file:

ForEach ($svc in $svc_array){
	$workingdir = Join-Path $certdir $svc
	# Leaf certificate first, followed by the CA chain
	Get-Content $workingdir\rui.crt,$cachain | Set-Content $workingdir\chain.pem
}

SSH to the vCenter Server Appliance and enter the password you previously set:

ssh root@vcsa.lab.mdb-lab.com

Stop the Single Sign-On and vCenter services:

service vmware-stsd stop
service vmware-vpxd stop

Create folders:

for i in vpxd inventoryservice logbrowser autodeploy; do mkdir -p ssl/$i; done

Using SCP or SFTP, upload the cachain file to the vCSA:

psftp root@vcsa.lab.mdb-lab.com
put C:\Certs\cachain.pem /root/ssl

Upload the contents of C:\Certs\vCenterSSO to /root/ssl/vpxd:

lcd C:\Certs\vCenterSSO
cd /root/ssl/vpxd
mput *

Change back to the SSH console and replace the SSL certificate:

cd /root/ssl/vpxd
/usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key

Wait for the result. If it is 0 then the change was successful. If not, consult Decoding non-zero VC_CFG_RESULT for failed vpxd_servicecfg certificate changes (2057248).
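If the result is non-zero, the usual causes are a chain that does not verify against the CA bundle, a key that does not belong to the certificate, or a subjectAltName that lacks the FQDN. The following sanity check is an added example (not from the original post, nor VMware's tooling) that isolates those three cases; it can be run from the SSH session against any of the /root/ssl/<service> directories before calling vpxd_servicecfg. It assumes the openssl CLI is on the PATH; the make_fixture helper builds a constructed throwaway CA and leaf, laid out like the post's files, so the check can be exercised offline.

```shell
# check_service_certs CHAIN KEY CACHAIN FQDN -> returns 0 only if every check passes
check_service_certs() {
    chain=$1; key=$2; cachain=$3; fqdn=$4
    # 1. The leaf (first certificate in chain.pem) must verify against the CA
    #    bundle that later becomes lighttpd's ca.crt.
    openssl verify -CAfile "$cachain" "$chain" >/dev/null 2>&1 \
        || { echo "FAIL: $chain does not verify against $cachain"; return 1; }
    # 2. rui.key must be the private half of the leaf's public key
    #    (compare SubjectPublicKeyInfo, which works for RSA and EC alike).
    certpub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "FAIL: $key does not match the certificate in $chain"; return 1; }
    # 3. The SAN must carry the FQDN clients connect to; the CN alone is not enough.
    openssl x509 -in "$chain" -noout -text 2>/dev/null | grep -qF "DNS:$fqdn" \
        || { echo "FAIL: subjectAltName lacks DNS:$fqdn"; return 1; }
    echo "OK: $chain is consistent for $fqdn"
}

# make_fixture DIR FQDN: constructed CA + leaf named like the post's files
# (rui.key, rui.crt, cachain.pem, chain.pem). Hypothetical test data only.
make_fixture() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$dir/req.cnf"
    openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Lab CA" -keyout "$dir/ca.key" -out "$dir/cachain.pem" 2>/dev/null
    openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" -keyout "$dir/rui.key" -out "$dir/rui.csr" 2>/dev/null
    # Same extensions the post's v3_req section asks for, minus the lab IP
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$fqdn" > "$dir/ext.cnf"
    openssl x509 -req -days 1 -in "$dir/rui.csr" -CA "$dir/cachain.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/ext.cnf" -out "$dir/rui.crt" 2>/dev/null
    cat "$dir/rui.crt" "$dir/cachain.pem" > "$dir/chain.pem"   # leaf first, then the chain
}

# On the appliance:
# check_service_certs /root/ssl/vpxd/chain.pem /root/ssl/vpxd/rui.key /root/ssl/cachain.pem vcsa.lab.mdb-lab.com
```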

Back up the existing lighttpd configuration:

cd /opt/vmware/etc/lighttpd/
mkdir BAK
cp * BAK/

Copy the chain file from the previous steps:

cp /root/ssl/cachain.pem /opt/vmware/etc/lighttpd/ca.crt

Add the certificate to the config file:

echo 'ssl.ca-file = "/opt/vmware/etc/lighttpd/ca.crt"' >> /opt/vmware/etc/lighttpd/lighttpd.conf

Start the Single Sign-On service:

service vmware-stsd start

Unregister the Inventory Service from Single Sign-On (modify server name accordingly):

cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode uninstall --ls-server https://vcsa.lab.mdb-lab.com:7444/lookupservice/sdk

Upload the contents of C:\Certs\InventoryService to /root/ssl/inventoryservice:

lcd C:\Certs\InventoryService
cd /root/ssl/inventoryservice
mput *

Change back to the SSH console and create .pfx file:

cd /root/ssl/inventoryservice
openssl pkcs12 -export -out rui.pfx -in chain.pem -inkey rui.key -name rui -passout pass:testpassword

Copy the relevant files to the certificate directory:

cp rui.* /usr/lib/vmware-vpx/inventoryservice/ssl

Change permissions:

cd /usr/lib/vmware-vpx/inventoryservice/ssl/
chmod 400 rui.key rui.pfx
chmod 644 rui.crt

Disable the shell history so that the plaintext password in the following command is not written to it:

unset HISTFILE

Re-register the Inventory Service with Single Sign-On (substitute accordingly):

cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode install --ls-server https://vcsa.lab.mdb-lab.com:7444/lookupservice/sdk --user Administrator@vsphere.local --password VMware1!

Restart services:

service vmware-inventoryservice stop
service vmware-vpxd stop
service vmware-inventoryservice start
service vmware-vpxd start

Unregister the Log Browser service from Single Sign-On (modify server name accordingly):

cd /etc/vmware-sso/register-hooks.d
./09-vmware-logbrowser --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk

Upload the contents of C:\Certs\LogBrowser to /root/ssl/logbrowser:

lcd C:\Certs\LogBrowser
cd /root/ssl/logbrowser
mput *

Change back to the SSH console and create .pfx file:

cd /root/ssl/logbrowser
openssl pkcs12 -export -in chain.pem -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Copy the relevant files to the certificate directory:

cp rui.* /usr/lib/vmware-logbrowser/conf

Change permissions:

cd /usr/lib/vmware-logbrowser/conf
chmod 400 rui.key rui.pfx
chmod 644 rui.crt

Re-register the Log Browser Service with Single Sign-On (substitute accordingly):

cd /etc/vmware-sso/register-hooks.d
./09-vmware-logbrowser --mode install --ls-server https://vcsa.lab.mdb-lab.com:7444/lookupservice/sdk --user Administrator@vsphere.local --password VMware1!

Restart services:

service vmware-logbrowser stop
service vmware-logbrowser start

Upload the contents of C:\Certs\AutoDeploy to /root/ssl/autodeploy:

lcd C:\Certs\AutoDeploy
cd /root/ssl/autodeploy
mput rui.*

Change back to the SSH console and copy files:

cd /root/ssl/autodeploy
cp /root/ssl/autodeploy/rui.crt /etc/vmware-rbd/ssl/waiter.crt
cp /root/ssl/autodeploy/rui.key /etc/vmware-rbd/ssl/waiter.key

Change permissions and ownership:

cd /etc/vmware-rbd/ssl/
chmod 644 waiter.crt
chmod 400 waiter.key
chown deploy:deploy waiter.crt waiter.key

Re-register the AutoDeploy Service with Single Sign-On (substitute accordingly):

service vmware-rbd-watchdog stop
if [ -f /var/vmware/vpxd/autodeploy_registered ]; then rm -f /var/vmware/vpxd/autodeploy_registered; fi
service vmware-vpxd restart

Reboot the appliance:

reboot

The complete PowerCLI script to the above can be found at https://github.com/virtualhobbit/blog/blob/master/gen_certs.ps1.

Coming up

In this part we configured our vCenter Server Appliance to use SSL certificates signed by a Certificate Authority.

In part 8 we deploy and configure the vRealize Automation Appliance.
